Computers have traditionally communicated with each other through wired local area networks (“LANs”). However, with the increased demand for mobile computers such as laptops, personal digital assistants, and the like, wireless local area networks (“WLANs”) have developed as a way for computers to communicate with each other through transmissions over a wireless medium using radio signals, infrared signals, and the like.
In order to promote interoperability of WLANs with each other and with wired LANs, the IEEE 802.11 standard was developed as an international standard for WLANs. Generally, the IEEE 802.11 standard was designed to present users with the same interface as an IEEE 802 wired LAN, while allowing data to be transported over a wireless medium.
Although WLANs provide users with increased mobility over wired LANs, the quality of communications over a WLAN may vary for reasons that are not present in wired LANs. For example, everything in the environment may behave as a reflector or attenuator of a transmitted signal. As such, small changes in the position of a computer in a WLAN may affect the quality and strength of a signal sent by the computer.
Wired Equivalent Privacy (“WEP”) is a protocol for encrypting wireless packets on IEEE 802.11 networks. Although the WEP protocol is known to be insecure and has been superseded by the Wi-Fi Protected Access (“WPA”) protocol, it is still in widespread use today. Typically, in the WEP protocol a fixed secret key is concatenated with a known, per-packet initialization vector (“IV”) to form the key used to encrypt each message. In WEP-protected networks, the access point and the radio stations share a common root key Rk. For each packet, a 24-bit IV is chosen and transmitted in the clear, and the per-packet key K = IV|Rk is used to encrypt the packet with the RC4 stream cipher. Because Rk is fixed and the IV is only 24 bits long, the per-packet keys differ only in a short prefix that the attacker can read, which is what the attacks described below exploit.
In 2001, Fluhrer, Mantin and Shamir, in a paper entitled “Weaknesses in the Key Scheduling Algorithm of RC4”, presented a key-recovery attack against RC4 as it is used in WEP (implemented in aircrack-ng: http://www.aircrack-ng.org). In 2005, Andreas Klein showed an improved attack on RC4 that can recover the WEP key from a significantly smaller number of captured frames (implemented in aircrack-ptw: http://www.cdc.informatik.tu-darmstadt.de/aircrack-ptw).
Both attacks monitor the network traffic and collect encrypted ARP packets, in particular ARP replies sent by the access point, in order to recover the WEP key. The first 16 bytes of the clear text of an ARP packet are fixed: the LLC/SNAP header AA AA 03 00 00 00 08 06 followed by the ARP header fields (hardware type, protocol type, address lengths and operation code), so this part of the clear text is known in advance. Further, because ARP packets have a fixed size, encrypted ARP packets can usually be distinguished from other network packets by their length alone, even though their contents are encrypted.
By applying an exclusive-or (“XOR”) operation to a captured encrypted ARP packet and this fixed pattern, an attacker recovers the first 16 bytes of the RC4 key stream generated for that packet's IV, without knowing Rk. Collecting enough (IV, key stream) pairs from many packets allows the attacks above to determine the WEP key.
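As an added illustration of the per-packet keying and the ARP key stream recovery described above (this code is not from the original text; the helper names, the 40-bit root key, the IV and the MAC and IP addresses are constructed for the example), the following Python builds a WEP frame body with K = IV|Rk and RC4, then recovers the first 16 key stream bytes from the ciphertext by XOR with the fixed LLC/SNAP and ARP prefix, using nothing but the captured frame. The key-index byte and the CRC-32 integrity check value (ICV) in the frame body are WEP details not mentioned above.

```python
"""WEP per-packet keying (K = IV|Rk with RC4) and known-plaintext key
stream recovery from an ARP reply. Added example; every key, IV, MAC
and IP address below is constructed, not captured from a real network."""
import struct
import zlib


def rc4_keystream(key: bytes, n: int) -> bytes:
    """Return n bytes of RC4 key stream for `key` (KSA followed by PRGA)."""
    s = list(range(256))
    j = 0
    for i in range(256):                        # key scheduling algorithm
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for _ in range(n):                          # pseudo-random generation
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def xor_bytes(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def wep_encrypt(rk: bytes, iv: bytes, plaintext: bytes) -> bytes:
    """WEP frame body: IV (3 bytes) | key-id byte | RC4_{IV|Rk}(plaintext | ICV)."""
    if len(iv) != 3:
        raise ValueError("WEP IV is 24 bits")
    icv = struct.pack("<I", zlib.crc32(plaintext) & 0xFFFFFFFF)  # CRC-32 ICV
    data = plaintext + icv
    return iv + b"\x00" + xor_bytes(data, rc4_keystream(iv + rk, len(data)))


def wep_decrypt(rk: bytes, body: bytes) -> tuple:
    """Strip the WEP header, decrypt with K = IV|Rk and verify the ICV."""
    iv, ct = body[:3], body[4:]
    data = xor_bytes(ct, rc4_keystream(iv + rk, len(ct)))
    pt, icv = data[:-4], data[-4:]
    return pt, struct.pack("<I", zlib.crc32(pt) & 0xFFFFFFFF) == icv


# LLC/SNAP header (AA AA 03 00 00 00 08 06) followed by the ARP header
# (hardware type 0001, protocol type 0800, hlen 06, plen 04, opcode); the
# 16th byte is the opcode low byte: 01 for a request, 02 for a reply.
KNOWN_ARP_REPLY_PREFIX = bytes.fromhex("aaaa030000000806" "0001080006040002")
ARP_BODY_LEN = 4 + 8 + 28 + 4   # WEP header + LLC/SNAP + ARP + ICV = 44 bytes


def build_arp_reply(sender_mac: bytes, sender_ip: bytes,
                    target_mac: bytes, target_ip: bytes) -> bytes:
    """Constructed clear-text ARP reply as carried over 802.11 with LLC/SNAP."""
    return KNOWN_ARP_REPLY_PREFIX + sender_mac + sender_ip + target_mac + target_ip


def looks_like_arp(body: bytes) -> bool:
    """The size-based filter an eavesdropper uses: ARP frames have a fixed length."""
    return len(body) == ARP_BODY_LEN


def recover_keystream_prefix(body: bytes) -> tuple:
    """XOR the captured ciphertext with the fixed ARP prefix to obtain
    (IV, first 16 key stream bytes) for that IV without knowing Rk."""
    iv = body[:3]
    n = len(KNOWN_ARP_REPLY_PREFIX)
    return iv, xor_bytes(body[4:4 + n], KNOWN_ARP_REPLY_PREFIX)


if __name__ == "__main__":
    rk = bytes.fromhex("0123456789")            # constructed 40-bit root key
    iv = b"\x03\x04\x05"                         # constructed 24-bit IV
    frame = wep_encrypt(rk, iv, build_arp_reply(
        bytes.fromhex("00112233aabb"), bytes([192, 168, 1, 1]),
        bytes.fromhex("00aabbccddee"), bytes([192, 168, 1, 20])))
    assert looks_like_arp(frame)
    iv_seen, ks = recover_keystream_prefix(frame)
    # what the eavesdropper recovered equals RC4's real output for IV|Rk
    assert ks == rc4_keystream(iv + rk, 16)
    print("IV", iv_seen.hex(), "key stream", ks.hex())
```

Each captured ARP frame yields one (IV, key stream prefix) pair; the FMS and Klein attacks then use the statistical relationship between the first key stream bytes and the key bytes of IV|Rk, across many such pairs, to recover Rk. That statistical step is not implemented here.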
Accordingly, such encryption attacks can present security problems in wireless networks.